HTML Escaping data (esp. with Velocity)
maward
Oct 19th, 2004, 06:09 AM
Whilst errors and messages provided to a Velocity template by Spring are automatically HTML-escaped, I cannot find any way of configuring a VelocityView so that all data it is required to render will be escaped by default. This would be really useful as it is difficult to ensure that data presented to a user appears as it should.
Is there a way of doing this or would it be a feature request?
Thanks
Matt
davison
Oct 19th, 2004, 10:08 AM
You'd have to wrap all of your context references in the template with an escaper such as the commons-lang class http://jakarta.apache.org/commons/lang/api/org/apache/commons/lang/StringEscapeUtils.html
There's nothing in Spring or (AFAIK) Velocity that will do this for you by default.
Regards,
maward
Oct 25th, 2004, 09:05 AM
There's nothing in Spring or (AFAIK) Velocity that will do this for you by default.
It seems strange to me that you have to explicitly escape data that really needs to be escaped to be safe (from a security point of view and from a working app point of view). It would be the minority of instances where text shouldn't be HTML-escaped, so, as with error handling, could we have Spring safely escape HTML unless the developer states otherwise? That would be so useful and reduce bug counts massively.
maward
Oct 25th, 2004, 09:10 AM
Actually, thinking about it, this should be a Velocity request, since it would ideally be incorporated into the way Velocity is used, i.e. I envisage something like:
<p>${anyVariable}</p> (escaped according to velocity configuration)
<p>#noHtmlEscape($anyVariable)</p>
<p>#htmlEscape($anyVariable)</p>
Would be great!
sleistner
May 16th, 2005, 12:19 PM
I use the Velocity Tools to escape HTML.
First I have declared a tool in a file named toolbox.xml
(commons-lang-x.x.jar must be in the classpath):
<?xml version="1.0" encoding="UTF-8"?>
<toolbox>
    <tool>
        <key>escapeTool</key>
        <class>org.apache.commons.lang.StringEscapeUtils</class>
    </tool>
</toolbox>
Then add a property to the VelocityViewResolver:
<bean id="viewResolver"
      class="org.springframework.web.servlet.view.velocity.VelocityViewResolver">
    <property name="suffix">
        <value>.vm</value>
    </property>
    <property name="toolboxConfigLocation">
        <value>/WEB-INF/toolbox.xml</value>
    </property>
    <property name="exposeSpringMacroHelpers">
        <value>true</value>
    </property>
</bean>
That's all; now it can be used in any Velocity file like this:
$escapeTool.escapeHtml("< > €")
regards
steffen
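The two approaches discussed in this thread side by side, as an added example that is not code from any of the posts above: first the explicit per-reference escaping via a StringEscapeUtils instance in the context (what the toolbox entry above puts there), then the escape-by-default behaviour maward asked for, implemented with Velocity's ReferenceInsertionEventHandler so that every reference is HTML-escaped unless the developer opts out. The opt-out convention (reference names starting with `raw_`) is an assumption made for this example, not a Velocity feature; the code assumes the Velocity 1.x API (two-argument `referenceInsert`, `EventCartridge.attachToContext`) and commons-lang 2.x, and the payload string is constructed for the demo.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.commons.lang.StringEscapeUtils;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Renders attacker-controlled data through Velocity three ways:
 *   1. unescaped                       -> script tag reaches the browser
 *   2. $escapeTool.escapeHtml($name)   -> explicit escaping, as in the toolbox setup
 *   3. escape-by-default event handler -> every reference escaped unless named raw_*
 */
public class EscapeDemo {

    /** Constructed attacker input for the demo; covers each character escapeHtml rewrites. */
    static final String PAYLOAD = "<script>alert('x')</script>&\"";

    /**
     * Escapes each reference value at insertion time. The opt-out by reference name
     * ("raw_") is an assumption of this example, not part of Velocity.
     */
    static class EscapeByDefault implements ReferenceInsertionEventHandler {
        public Object referenceInsert(String reference, Object value) {
            if (value == null) {
                return null;
            }
            // 'reference' is the literal template text, e.g. "$name" or "${raw_body}"
            String name = reference.replaceAll("[$!{}]", "");
            if (name.startsWith("raw_")) {
                return value; // developer explicitly asked for unescaped markup
            }
            return StringEscapeUtils.escapeHtml(String.valueOf(value));
        }
    }

    static VelocityEngine newEngine() throws Exception {
        Properties p = new Properties();
        // optional: avoid writing velocity.log to the working directory (Velocity 1.x key)
        p.setProperty("runtime.log.logsystem.class",
                      "org.apache.velocity.runtime.log.NullLogSystem");
        VelocityEngine engine = new VelocityEngine();
        engine.init(p);
        return engine;
    }

    static String render(VelocityEngine engine, VelocityContext ctx, String template)
            throws Exception {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "EscapeDemo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = newEngine();

        // 1 and 2: explicit escaping through the tool instance, as the toolbox exposes it
        VelocityContext ctx = new VelocityContext();
        ctx.put("escapeTool", new StringEscapeUtils());
        ctx.put("name", PAYLOAD);
        System.out.println(render(engine, ctx, "<p>$name</p>"));                         // XSS
        System.out.println(render(engine, ctx, "<p>$escapeTool.escapeHtml($name)</p>")); // safe

        // 3: escape by default via an EventCartridge attached to the context
        VelocityContext safe = new VelocityContext();
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new EscapeByDefault());
        cartridge.attachToContext(safe);
        safe.put("name", PAYLOAD);
        safe.put("raw_body", "<em>trusted markup</em>");
        System.out.println(render(engine, safe, "<p>$name</p><div>$raw_body</div>"));
    }
}
```

Two caveats for anyone adopting this: do not combine the handler with `$escapeTool.escapeHtml(...)` in the same context, since the handler also sees the method's return value and would escape it a second time; and commons-lang's `escapeHtml` does not touch the apostrophe, so it is only adequate for HTML text and double-quoted attribute values, not for single-quoted attributes or data placed inside a `<script>` block.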
katentim
Aug 10th, 2005, 05:33 PM
If you're using ResourceBundleViewResolver instead of VelocityViewResolver, you can load the toolbox in the properties file like:
myVelocityView.class=org.springframework.web.servlet.view.velocity.VelocityToolboxView
myVelocityView.url=/velocity_templates/myVelocityView.vm
myVelocityView.toolboxConfigLocation=/WEB-INF/classes/velocity_templates/toolbox.xml